WordPress Exploit
The exploit stems from the behavior of PHP's built-in "phar://" stream wrapper, which lets the language perform complex asset-management functions for a variety of web protocols, researchers said this week. Phar archives are typically used to store self-extracting or self-contained applications, the researchers said. "This means that when a file operation attempts to access the archived files, they must be deserialized, converted from plain strings to objects, which happens automatically."
According to the researchers, however, this process has flaws that allow attackers to execute code remotely. An attacker does this by placing a maliciously crafted file on the target system, which is then deserialized and executed by the legitimate server process. "It is a novel, PHP-specific attack technique that can lead to deserialization in a wide range of exploit scenarios," said Sam Thomas of Secarma in a whitepaper about the attack.
Exploitation of the weakness proceeds in two stages, researchers said. First, an attacker places a valid phar archive carrying the payload on the victim's local filesystem. Then he or she triggers a file operation on a "phar://" path that refers to that file. "Any XXE issues whose maximum impact was previously seen as file disclosure when out-of-band communication was possible must now be seen as potential code-execution issues, regardless of whether out-of-band communication is possible or not," Thomas said.
In WordPress, an attacker would need permission to upload and modify media items in order to gain sufficient control over the parameters, researchers said. Thomas said he reported the problem to WordPress in February 2017, but it had not been fixed at the time of writing. Besides WordPress, the problem affects several other CMSes, such as Typo3, as well as the widely used PDF generation library TCPDF.
This kind of insecure deserialization in PHP has been seen before: the problem was first described by Stefan Esser in 2009, and the subject is closely related to similar bugs, among them CVE-2017-12934 and CVE-2017-12933. "In recent years there have also been several vulnerabilities in native code that implements deserialization, highlighting the risks of deserializing attacker-controlled data," the researchers said.
Regarding mitigation, the researchers said it does not appear possible to disable the Phar extension via a command-line option or in the configuration. But preventing the vulnerability begins with blocking attacker-controlled data that could reach stream wrappers: "To avoid exploitation of this issue, it is essential to avoid using attacker-controlled data at the beginning of a filename that is used in one of the file operations that can trigger stream wrappers," they said.
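As an added example that is not part of the article or of the Secarma research, the following PHP guard implements the mitigation quoted above: a user-supplied value never becomes the start of a filename that reaches a file operation, so no stream wrapper can be selected. The function name, the uploads directory and the request parameter are assumptions.

```php
<?php
// Added example (not from the article): guard filenames before they reach
// PHP file functions so attacker-controlled input cannot select a stream
// wrapper such as phar://. Function name and directory are assumptions.

declare(strict_types=1);

/**
 * Resolve $userPath inside $baseDir and return the canonical absolute path,
 * or null if the value carries a scheme, contains a NUL byte, escapes the
 * directory, or does not exist (realpath() requires an existing target).
 */
function safe_local_path(string $baseDir, string $userPath): ?string
{
    // Any "scheme:" prefix (phar:, php:, data:, ...) would select a stream
    // wrapper; the article's mitigation is to refuse such input outright.
    // (A Windows drive letter such as "C:" is also refused, which is fine
    // for a value that must stay relative to the uploads directory.)
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $userPath) === 1) {
        return null;
    }
    // An embedded NUL byte would truncate the path in some functions.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Anchor the candidate under $baseDir, then canonicalise it so that
    // "../" segments cannot escape the directory.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\'));
    if ($candidate === false
        || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Vulnerable pattern described in the article: the user value is the start
// of the filename, so a "phar://..." value reaches the phar wrapper:
//   if (file_exists($_GET['file'])) { ... }
//
// Hardened pattern: only a canonical path inside the uploads directory
// ever reaches a file function, so no wrapper can be selected.
$path = safe_local_path(__DIR__ . '/uploads', $_GET['file'] ?? '');
if ($path === null) {
    http_response_code(400);
    exit('invalid file name');
}
// $path now names an existing entry under uploads/ and is safe to pass on.
```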
Updated August 21 at 16:30 to further explain some of the privileges an attacker would need to carry out a WordPress-based attack.